04 01 even more powerful .wmf exploit code placed online
1. more sophisticated wmf exploit released that will bypass IDS and AV
"We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw"
stop all gzip ?
stop all unclear or manipulated headers ?
that will give the gatekeepers work, sorting everything out
2. PandaLabs has detected a tool called WMFMaker being distributed across the Internet. This tool allows malicious WMFs to be generated from any other code, which allows malware to be dropped on users' systems
more about the wmf-maker, which seems to be very easy to use
downloadable from www.egocrew.de
at your own risk
and if that is not scary enough, read this from the security-community
the wmf files can also be renamed to .doc (for Word), because Internet Explorer, instead of refusing to open renamed files (maybe fixed in IE 7), opens them with the matching application instead of warning us http://www.securityfocus.com/archive/1/420548/30/0/threaded
and even more important
It is not only *.wmf extensions, it is all files that have Windows metafile headers that will open with the Windows Picture and Fax Viewer. Any file that has the header of a Windows metafile can trigger this exploit.
The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly opened. This is enough to trigger the exploit. Even more frightening is that you don't have to use the thumbnail view for a thumbnail to be generated. Under some circumstances, just single-clicking on the file will cause it to be parsed.
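Since the viewer goes by the metafile header and not by the extension, a gatekeeper check has to do the same. As an added example (not code from this post or from the lists it quotes), the Python below classifies a blob as a placeable or standard WMF from its first bytes only, unwrapping gzip first, and runs over constructed sample headers with hypothetical file names.

```python
import gzip
import struct
import zlib
from typing import Dict, Optional

# Aldus placeable metafile key; stored little-endian on disk as D7 CD C6 9A
PLACEABLE_KEY = 0x9AC6CDD7

def _looks_like_standard_header(data: bytes) -> bool:
    """METAHEADER: mtType (1=memory, 2=disk), mtHeaderSize (always 9 words),
    mtVersion (0x0100 or 0x0300). 18 bytes in total."""
    if len(data) < 18:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def classify_wmf(data: bytes) -> Optional[str]:
    """Return 'placeable', 'standard' or None. The file name is never consulted:
    a renamed .doc or a gzip-wrapped blob is judged by its content alone."""
    if data[:2] == b"\x1f\x8b":  # gzip magic: encoding must not hide the header
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return None
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # the 22-byte placeable header is followed by the standard METAHEADER
        return "placeable" if _looks_like_standard_header(data[22:]) else None
    if _looks_like_standard_header(data):
        return "standard"
    return None

def scan(files: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Flag every blob by header type, whatever its extension says."""
    return {name: classify_wmf(blob) for name, blob in files.items()}

# Constructed sample inputs: bare headers with no records, not real exploit files.
def _standard_header() -> bytes:
    # mtType=2, mtHeaderSize=9, mtVersion=0x0300, mtSize=9 words, no objects/records
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)

def _placeable_header() -> bytes:
    # key, hmf, bbox (left, top, right, bottom), inch, reserved, then XOR checksum
    fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum) + _standard_header()

SAMPLES = {
    "picture.wmf": _placeable_header(),
    "report.doc": _standard_header(),            # renamed WMF, as the post describes
    "archive.gz": gzip.compress(_placeable_header()),
    "notes.txt": b"just some text",
}
```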